1 <?php
2
3 /**
4 * Validates name/value pairs in param tags to be used in safe objects. This
5 * will only allow name values it recognizes, and pre-fill certain attributes
6 * with required values.
7 *
8 * @note
9 * This class only supports Flash. In the future, Quicktime support
10 * may be added.
11 *
12 * @warning
13 * This class expects an injector to add the necessary parameter tags.
14 */
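class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
{
    public $name = "SafeParam";

    /**
     * URI validator used for the movie/src param (constructed in embedded mode).
     * @var HTMLPurifier_AttrDef_URI
     */
    private $uri;

    /**
     * Enum validator restricting wmode to window/opaque/transparent.
     * Declared explicitly so it is no longer a dynamic property (dynamic
     * properties are deprecated as of PHP 8.2); public keeps the previous
     * implicit visibility.
     * @var HTMLPurifier_AttrDef_Enum
     */
    public $wmode;

    public function __construct()
    {
        $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
        $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
    }

    /**
     * Rewrites one param tag's name/value pair so that only recognised Flash
     * parameters survive, and forces the security-relevant ones to fixed
     * values regardless of what the input supplied.
     *
     * @param array $attr Attribute array of the param tag; 'name' and 'value'
     *                    are read, both are optional (a missing name is
     *                    treated as unrecognised).
     * @param HTMLPurifier_Config $config Read for HTML.FlashAllowFullScreen.
     * @param HTMLPurifier_Context $context Passed through to the validators.
     * @return array The transformed attribute array. For an unrecognised name
     *               both 'name' and 'value' are set to null, which drops them.
     */
    public function transform($attr, $config, $context)
    {
        // A param tag without a name or value attribute must reach the
        // default (drop) branch instead of raising an undefined-index notice.
        $paramName = isset($attr['name']) ? $attr['name'] : null;
        $paramValue = isset($attr['value']) ? $attr['value'] : null;

        // If we add support for other objects, we'll need to alter the
        // transforms.
        switch ($paramName) {
            // application/x-shockwave-flash
            // Keep this synchronized with Injector/SafeObject.php
            case 'allowScriptAccess':
                // Input value is ignored: the SWF may never call page script.
                $attr['value'] = 'never';
                break;
            case 'allowNetworking':
                // Input value is ignored: no browser navigation from the SWF.
                $attr['value'] = 'internal';
                break;
            case 'allowFullScreen':
                if ($config->get('HTML.FlashAllowFullScreen')) {
                    // Only the exact string 'true' is honoured; anything
                    // else (including a missing value) becomes 'false'.
                    $attr['value'] = ($paramValue === 'true') ? 'true' : 'false';
                } else {
                    $attr['value'] = 'false';
                }
                break;
            case 'wmode':
                $attr['value'] = $this->wmode->validate($paramValue, $config, $context);
                break;
            case 'movie':
            case 'src':
                // Canonicalise 'src' to 'movie' so only one name reaches the
                // injector; the value still has to pass the embedded-URI check.
                $attr['name'] = "movie";
                $attr['value'] = $this->uri->validate($paramValue, $config, $context);
                break;
            case 'flashvars':
                // we're going to allow arbitrary inputs to the SWF, on
                // the reasoning that it could only hack the SWF, not us.
                break;
            // add other cases to support other param name/value pairs
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}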
63
64 // vim: et sw=4 sts=4